djvu | fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
04-05-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
Size

233KB
MD5

74bf6d85eae00e32437fdc455179b965
SHA1

212de5612bab8a57eb6670b60199b96c3932b60a
SHA256

fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3
SHA512

6ac3e8f1abc24f5a887f2abaff5d55b8eaee3da8e53bc04d992b1ba68b8784e981a5259031737de80795e14bd49281de8a344d869c6724ae764a1ec549df424d

Score

10^/10

djvu smokeloader vidar 517 937 backdoor collection discovery persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

rc4.i32

Extracted

Family

vidar

Version

Botnet

937

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
937

Extracted

Family

djvu

http://ugll.org/lancer/get.php

Attributes

extension
.egfg
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0474JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

517

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3488-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3488-154-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3488-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4828-157-0x0000000002380000-0x000000000249B000-memory.dmp	family_djvu
behavioral1/memory/3488-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3488-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4900-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4900-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4900-166-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4900-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4304-124-0x0000000002030000-0x000000000207D000-memory.dmp	family_vidar
behavioral1/memory/4304-125-0x0000000000400000-0x00000000004F3000-memory.dmp	family_vidar
behavioral1/memory/4444-179-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/4444-180-0x000000000042103C-mapping.dmp	family_vidar
behavioral1/memory/2752-183-0x00000000005B0000-0x00000000006FA000-memory.dmp	family_vidar
behavioral1/memory/4444-184-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/4444-182-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/4444-185-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

37C9.exe66F8.exe66F8.exe66F8.exe66F8.exebuild2.exebuild2.exe

pid process

4304 37C9.exe
4828 66F8.exe
3488 66F8.exe
3084 66F8.exe
4900 66F8.exe
2752 build2.exe
4444 build2.exe
Deletes itself 1 IoCs

Processes:

pid process

3200
Loads dropped DLL 4 IoCs

Processes:

37C9.exebuild2.exe

pid process

4304 37C9.exe
4304 37C9.exe
4444 build2.exe
4444 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2348 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4304	37C9.exe
4828	66F8.exe
3488	66F8.exe
3084	66F8.exe
4900	66F8.exe
2752	build2.exe
4444	build2.exe

pid	process
3200

pid	process
4304	37C9.exe
4304	37C9.exe
4444	build2.exe
4444	build2.exe

pid	process
2348	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

66F8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c7d9d4d2-7101-4cf7-ae15-438a4da5b317\\66F8.exe\" --AutoStart"	66F8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.2ip.ua
30 api.2ip.ua
35 api.2ip.ua

flow	ioc
29	api.2ip.ua
30	api.2ip.ua
35	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

66F8.exe66F8.exebuild2.exe

description	pid	process	target process
PID 4828 set thread context of 3488	4828	66F8.exe	66F8.exe
PID 3084 set thread context of 4900	3084	66F8.exe	66F8.exe
PID 2752 set thread context of 4444	2752	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

37C9.exebuild2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	37C9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	37C9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

66F8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	66F8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	66F8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe

pid	process
3744	fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
3744	fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3200
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe

pid process

3744 fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
3200
3200
3200
3200

pid	process
3200

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

66F8.exe66F8.exe66F8.exe66F8.exebuild2.exe

description	pid	process	target process
PID 3200 wrote to memory of 4304	3200		37C9.exe
PID 3200 wrote to memory of 4304	3200		37C9.exe
PID 3200 wrote to memory of 4304	3200		37C9.exe
PID 3200 wrote to memory of 4828	3200		66F8.exe
PID 3200 wrote to memory of 4828	3200		66F8.exe
PID 3200 wrote to memory of 4828	3200		66F8.exe
PID 3200 wrote to memory of 5024	3200		explorer.exe
PID 3200 wrote to memory of 5024	3200		explorer.exe
PID 3200 wrote to memory of 5024	3200		explorer.exe
PID 3200 wrote to memory of 5024	3200		explorer.exe
PID 3200 wrote to memory of 4148	3200		explorer.exe
PID 3200 wrote to memory of 4148	3200		explorer.exe
PID 3200 wrote to memory of 4148	3200		explorer.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 4828 wrote to memory of 3488	4828	66F8.exe	66F8.exe
PID 3488 wrote to memory of 2348	3488	66F8.exe	icacls.exe
PID 3488 wrote to memory of 2348	3488	66F8.exe	icacls.exe
PID 3488 wrote to memory of 2348	3488	66F8.exe	icacls.exe
PID 3488 wrote to memory of 3084	3488	66F8.exe	66F8.exe
PID 3488 wrote to memory of 3084	3488	66F8.exe	66F8.exe
PID 3488 wrote to memory of 3084	3488	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 3084 wrote to memory of 4900	3084	66F8.exe	66F8.exe
PID 4900 wrote to memory of 2752	4900	66F8.exe	build2.exe
PID 4900 wrote to memory of 2752	4900	66F8.exe	build2.exe
PID 4900 wrote to memory of 2752	4900	66F8.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe
PID 2752 wrote to memory of 4444	2752	build2.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe
"C:\Users\Admin\AppData\Local\Temp\fa35418f18e541c0dddb9e19893ea0677133f47ee8a4871c35984c3ceb21cac3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3744

C:\Users\Admin\AppData\Local\Temp\37C9.exe
C:\Users\Admin\AppData\Local\Temp\37C9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4304

C:\Users\Admin\AppData\Local\Temp\66F8.exe
C:\Users\Admin\AppData\Local\Temp\66F8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\66F8.exe
C:\Users\Admin\AppData\Local\Temp\66F8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c7d9d4d2-7101-4cf7-ae15-438a4da5b317" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2348

C:\Users\Admin\AppData\Local\Temp\66F8.exe
"C:\Users\Admin\AppData\Local\Temp\66F8.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\66F8.exe
"C:\Users\Admin\AppData\Local\Temp\66F8.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe
"C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe
"C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:5024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
727B

MD5
d7f7c80fe97665d703c4060cb969e8bc

SHA1
39f1cdd78563e6139c4212644d3190a8359290eb

SHA256
34f78e2112650156ff1e9f3ab156f8a12cf68aa00e2a6f25ca41ba88e2429a40

SHA512
6d420aafab6cd5c273b5ae1446d1b9861dae388b2bc50b219c11efdd1f58a05c03d89fbb36b3bb3e0bde79974311c2e6997899e89f62811df54ed4a158f8c338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
c12271bdf471407067e390ea0b8c747e

SHA1
6be2a06d750f056e5732671008094952b1979162

SHA256
727a51b1ed47b01df41a4b808196796855c7405e7bcd35af4561cd217eec316c

SHA512
49c688eedc53904ee613cba6aadfb22c810136138c3f3c6ab1d69f9f17a4630ea76d09989f73bc0d5caf26271a9608663ab3db141fd34138d4916f5589bd94c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
1KB

MD5
d57289fde7aea252f73116d62f95e7b0

SHA1
ff3b8a69b2f61d8b418749f81923c8b577a9e1c8

SHA256
40bcfacac1a043ec7e47c9aac4ec3f98fbcaab22b13371cfe385cd9a98a48a42

SHA512
4805259aa97470b7aac9dfc09c0bdad80265c8da86ec5804530eac25a6100aef36280a2cb7a1f9f6b64b6443970a5d1cfcd0f0f03a2937706b1c844730565448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
471B

MD5
36d45b330d5eef29217009ce51799d72

SHA1
e5a0735690fc198a2ab02c1a0b2487d5014cba9b

SHA256
a1e5b5827ed7bbafeb8c063542478e1dcd34d46c6e20aca3f07f95f503963b9c

SHA512
2acec052c274574f0d748d1d35753fa2b9327dcab72b2bb40025a0cd604b887345511f0a01a4b95c4f412df4753602159ddc724a499235490246a17d38a1fa42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
b0d92d6296c3d4d5f644858b1a077254

SHA1
5cda78c04d98b721bb44063d356fb063931b2b0c

SHA256
670cab4d60d44f69f64fd5cd113b30e3e5cb0178ef990255263109da4c450560

SHA512
81a37bcc8a765ec55b0b38936eca5c89b2c48a2ca958f1fbc72d45f1f22c35fe21e7bc44c28f8833202bc4a91100c2f3421354dede5cf9df41ca7e8426754f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
402B

MD5
a8539fd99906a0982fc629df06149813

SHA1
52f604f17b5b1caffe9a59302b3e76c5b8f343ea

SHA256
e4a028639c5458e0cdfbfe8da8d10e42930532cf8b074ee721175e5fb7007772

SHA512
32421ddbfef08695d0eea74d49b42d736cc6ab8522b29660936099256a25b6a58901cc5d5c3f5d1e0704180bdf468c71b7353e67f5febd268046ab18fdbc952a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
3247fafe07ba394d6be39d0c051a6b79

SHA1
779e16134de44f435a81977ec1b18411197f8d61

SHA256
3f3338953626487969db9e92425a1f2ab86935f23fc481e2b1f68d82c8c2a5f8

SHA512
e35cee2f51ba849de1834122bedd5b5045c3a2ca0ebd7f190097f3a4303aa0408be798edcc580af1641ff670a2b11515b3ae48ac40d2cd3bd22f26f7a0d6cfdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
474B

MD5
f9164917e647906c79020f6fe7a9a65e

SHA1
40d1911be6a885d979d9430b73c8d91b19795aa9

SHA256
a4c2d63d7bc8a7891a46b4628423e981f02f7028df94c97b092df3f5e1c0c0e0

SHA512
e713fb1a02720fd0357944c3ea0043493cc06ae48113073f5dbaa6c832db4434f92b2d246945c55ab640c59da90d3308abf384502e19f0d9955f96388b6c5b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
396B

MD5
76a7d71b8381e56105e9eefdd08cd6e0

SHA1
262c3de5d7fb69658f1bb91e1af3e282da7851a9

SHA256
deff998f354f48cc3dd62311b6e7a6342a7cee52a85994bfb0094597aa205d13

SHA512
73e455f11f48a012b182fab486e08aeb7e992831f8478635801015b520786d70d70f39d47d1a0cb1b6c58007d3b5ceb173f8315d9aca384332e1db6bfd6612b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
8c384db9eeab7fe7bf15eabad377e458

SHA1
f37754349423b9c1663a6390bac10b4a790cf7dc

SHA256
1ca70c04d983c8002a1ff865898e9164ceff1941544babcf752bb265dadc4fac

SHA512
a7553d520d4d01f95bb483ed873191797b8c53153ae8f4aff15a4cdc1127573b7ca91edb89527ac490003555f21b8913477916d6e25d45f549e0c8c47b3649b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4IPTT465.cookie
Filesize
102B

MD5
07291ebd58437509ed26b6fb3ce0a88d

SHA1
4af5ec8d4cfabbfd1ec6281ea38358814b4ff465

SHA256
13490201982a1599ef35918b040de84a88a0475e104f9670a917abbec28260d1

SHA512
1b15f409937cfdb6cb03ad916840eb394495bd35dae17dee2f7c81ecfaf3c4131b422a5d11251cf18953ff5d37f877d1e0a128a623442f30350156e5386d2763

Download Submit
C:\Users\Admin\AppData\Local\Temp\37C9.exe
Filesize
382KB

MD5
6e60a0575313cd554898528521d79ba6

SHA1
338d1999ca9aca6154c4c0af5c63fbf1f9a7a2ec

SHA256
2922cac5abce5af982972dfd6021f0b98dd897cc7d1bbc19394a9fc2244fc3b2

SHA512
df14c6c2c86644f5a7d2cef1d2bd3f7d2a2de1e37ca0e7bccc23ba85f3cf3b5b2d91a439615b90bbd6ce9cb3d4c4e457da33bd8b826582c3b0ef1453dd4a80de

Download Submit
C:\Users\Admin\AppData\Local\Temp\37C9.exe
Filesize
382KB

MD5
6e60a0575313cd554898528521d79ba6

SHA1
338d1999ca9aca6154c4c0af5c63fbf1f9a7a2ec

SHA256
2922cac5abce5af982972dfd6021f0b98dd897cc7d1bbc19394a9fc2244fc3b2

SHA512
df14c6c2c86644f5a7d2cef1d2bd3f7d2a2de1e37ca0e7bccc23ba85f3cf3b5b2d91a439615b90bbd6ce9cb3d4c4e457da33bd8b826582c3b0ef1453dd4a80de

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\c7d9d4d2-7101-4cf7-ae15-438a4da5b317\66F8.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe
Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe
Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
C:\Users\Admin\AppData\Local\ec731366-20da-4ae6-adeb-e86da754fc3a\build2.exe
Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/2348-160-0x0000000000000000-mapping.dmp

Download
memory/2752-175-0x0000000000000000-mapping.dmp

Download
memory/2752-183-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3084-162-0x0000000000000000-mapping.dmp

Download
memory/3200-118-0x0000000000F60000-0x0000000000F76000-memory.dmp

Filesize
88KB

Download
memory/3488-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3488-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3488-154-0x0000000000424141-mapping.dmp

Download
memory/3488-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3488-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3744-115-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3744-116-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3744-117-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4148-152-0x0000000000000000-mapping.dmp

Download
memory/4304-126-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4304-125-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4304-124-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/4304-123-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/4304-119-0x0000000000000000-mapping.dmp

Download
memory/4444-182-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4444-185-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4444-184-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4444-180-0x000000000042103C-mapping.dmp

Download
memory/4444-179-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4828-147-0x0000000000000000-mapping.dmp

Download
memory/4828-157-0x0000000002380000-0x000000000249B000-memory.dmp

Filesize
1.1MB

Download
memory/4900-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4900-166-0x0000000000424141-mapping.dmp

Download
memory/4900-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4900-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5024-150-0x0000000000000000-mapping.dmp

Download